Detect Confuser 1.8 r75291 methods encrypter (JIT)
parent
29448fe3cb
commit
754c5a1400
|
@ -44,6 +44,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
v17_r74021,
|
v17_r74021,
|
||||||
v18_r75257,
|
v18_r75257,
|
||||||
v18_r75288,
|
v18_r75288,
|
||||||
|
v18_r75291,
|
||||||
v18_r75402,
|
v18_r75402,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -97,8 +98,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 39:
|
case 39:
|
||||||
if (!DotNetUtils.callsMethod(initMethod, "System.Void System.Console::WriteLine(System.Char)"))
|
if (!DotNetUtils.callsMethod(initMethod, "System.Void System.Console::WriteLine(System.Char)")) {
|
||||||
theVersion = ConfuserVersion.v17_r74021;
|
if (DotNetUtils.callsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
|
||||||
|
theVersion = ConfuserVersion.v17_r74021;
|
||||||
|
else
|
||||||
|
theVersion = ConfuserVersion.v18_r75291;
|
||||||
|
}
|
||||||
else if (DotNetUtils.callsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
|
else if (DotNetUtils.callsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
|
||||||
theVersion = ConfuserVersion.v18_r75257;
|
theVersion = ConfuserVersion.v18_r75257;
|
||||||
else
|
else
|
||||||
|
@ -194,6 +199,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v17_r74021: return initializeKeys_v17_r73404();
|
case ConfuserVersion.v17_r74021: return initializeKeys_v17_r73404();
|
||||||
case ConfuserVersion.v18_r75257: return initializeKeys_v17_r73404();
|
case ConfuserVersion.v18_r75257: return initializeKeys_v17_r73404();
|
||||||
case ConfuserVersion.v18_r75288: return initializeKeys_v17_r73404();
|
case ConfuserVersion.v18_r75288: return initializeKeys_v17_r73404();
|
||||||
|
case ConfuserVersion.v18_r75291: return initializeKeys_v17_r73404();
|
||||||
case ConfuserVersion.v18_r75402: return initializeKeys_v18_r75402();
|
case ConfuserVersion.v18_r75402: return initializeKeys_v18_r75402();
|
||||||
default: throw new ApplicationException("Invalid version");
|
default: throw new ApplicationException("Invalid version");
|
||||||
}
|
}
|
||||||
|
@ -299,6 +305,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v17_r74021: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
case ConfuserVersion.v17_r74021: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||||
case ConfuserVersion.v18_r75257: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
case ConfuserVersion.v18_r75257: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||||
case ConfuserVersion.v18_r75288: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
case ConfuserVersion.v18_r75288: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||||
|
case ConfuserVersion.v18_r75291: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||||
case ConfuserVersion.v18_r75402: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
case ConfuserVersion.v18_r75402: return initializeMethodDataIndexes_v17_r73477(compileMethod);
|
||||||
default: throw new ApplicationException("Invalid version");
|
default: throw new ApplicationException("Invalid version");
|
||||||
}
|
}
|
||||||
|
@ -443,6 +450,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v17_r74021: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.v17_r74021: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||||
case ConfuserVersion.v18_r75257: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.v18_r75257: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||||
case ConfuserVersion.v18_r75288: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.v18_r75288: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||||
|
case ConfuserVersion.v18_r75291: return decrypt_v17_r73479(peImage, fileData, ref dumpedMethods);
|
||||||
case ConfuserVersion.v18_r75402: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.v18_r75402: return decrypt_v18_r75402(peImage, fileData, ref dumpedMethods);
|
||||||
default: throw new ApplicationException("Unknown version");
|
default: throw new ApplicationException("Unknown version");
|
||||||
}
|
}
|
||||||
|
@ -758,6 +766,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
case ConfuserVersion.v18_r75288:
|
case ConfuserVersion.v18_r75288:
|
||||||
minRev = 75288;
|
minRev = 75288;
|
||||||
|
maxRev = 75288;
|
||||||
|
return true;
|
||||||
|
|
||||||
|
case ConfuserVersion.v18_r75291:
|
||||||
|
minRev = 75291;
|
||||||
maxRev = 75369;
|
maxRev = 75369;
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
|
|
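Review bot: In the `case 39:` hunk, the new inner `else` assigns `ConfuserVersion.v18_r75291` only because `decryptMethod` does not call `Rijndael::Create()`, so the version is identified by the absence of two calls rather than by anything r75291 itself introduces. Any unrecognised build that reaches this branch would then be labelled r75291 and sent through the `initializeKeys_v17_r73404` / `decrypt_v17_r73479` paths added in the later hunks, which could produce wrong output instead of a clear "unknown version" failure. If r75291 has a positive marker, testing for it here would be more robust; otherwise a comment above the inner `if`, such as `// r75291: init has no Console.WriteLine(char) and decrypt has no Rijndael.Create()`, would at least record the heuristic. The enclosing switch and method start and end outside the hunk, so an earlier guard may already narrow this case.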